From 579697054bf3b2515eeefdc622442a2b829d6342 Mon Sep 17 00:00:00 2001
From: McLayn <mclayn.v@gmail.com>
Date: Thu, 1 May 2025 06:00:09 +0200
Subject: [PATCH 1/4] fix #2026: Dividing variable by itself in loop_handler.go

---
 server/automation/automation/loop_handler.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/server/automation/automation/loop_handler.go b/server/automation/automation/loop_handler.go
index 86c6c3dbd4..654c25cc6e 100644
--- a/server/automation/automation/loop_handler.go
+++ b/server/automation/automation/loop_handler.go
@@ -26,6 +26,15 @@ func LoopHandler(reg loopHandlerRegistry, p expr.Parsable) *loopHandler {
 	return h
 }
 
+func signOf(n int64) int64 {
+    if n > 0 {
+        return 1
+    } else if n < 0 {
+        return -1
+    }
+    return 0
+}
+
 func (h loopHandler) sequence(_ context.Context, args *loopSequenceArgs) (wfexec.IteratorHandler, error) {
 	if !args.hasFirst {
 		args.First = 0
@@ -39,8 +48,9 @@ func (h loopHandler) sequence(_ context.Context, args *loopSequenceArgs) (wfexec
 		args.Step = 1
 	}
 
-	if args.First*(args.Step/args.Step) >= args.Last*(args.Step/args.Step) {
-		return nil, fmt.Errorf("failed to initialize counter iterator with first step greater than last")
+	sign := signOf(args.Step)
+	if args.First*sign >= args.Last*sign {
+		return nil, fmt.Errorf("failed to initialize counter iterator with first value greater than last or with zero step")
 	}
 
 	i := &sequenceIterator{

From f44c9d1a56b0ba48701a3ca1e09d4db382bd7085 Mon Sep 17 00:00:00 2001
From: Mahjabin Binte Mannan <78349997+Mahjabin08@users.noreply.github.com>
Date: Thu, 9 Oct 2025 15:11:41 +0600
Subject: [PATCH 2/4] Fixed localkey in page_layout.go (#2206)

Co-authored-by: Mahjabin Binte Mannan <mahjabin@Mahjabins-MacBook-Air.local>
---
 .../cortezaproject/corteza/server/compose/types/page_layout.go  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extra/server-discovery/vendor/github.com/cortezaproject/corteza/server/compose/types/page_layout.go b/extra/server-discovery/vendor/github.com/cortezaproject/corteza/server/compose/types/page_layout.go
index 79cc70a136..7592ac25d3 100644
--- a/extra/server-discovery/vendor/github.com/cortezaproject/corteza/server/compose/types/page_layout.go
+++ b/extra/server-discovery/vendor/github.com/cortezaproject/corteza/server/compose/types/page_layout.go
@@ -175,7 +175,7 @@ func (p *PageLayout) decodeTranslations(tt locale.ResourceTranslationIndex) {
 			"{{actionID}}", strconv.FormatUint(actionID, 10),
 		)
 
-		if aux = tt.FindByKey(rpl.Replace(LocaleKeyPagePageBlockBlockIDTitle.Path)); aux != nil {
+		if aux = tt.FindByKey(rpl.Replace(LocaleKeyPageLayoutConfigActionsActionIDMetaLabel.Path)); aux != nil {
 			p.Config.Actions[i].Meta.Label = aux.Msg
 		}
 	}

From cb7eea2977c588e78d4dc1d723f0864b48cf67fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C5=BEe=20Fortun?= <joze.fortun@gmail.com>
Date: Fri, 10 Oct 2025 15:55:30 +0200
Subject: [PATCH 3/4] Fix record list inline editor/filter overlapping inline
 actions

---
 .../src/components/PageBlocks/RecordListBase.vue   |  8 ++++++++
 .../PageBlocks/RecordListConfigurator.vue          | 14 +++++++-------
 .../Public/Page/Attachment/ListLoader.vue          | 12 ++++++++----
 3 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/client/web/compose/src/components/PageBlocks/RecordListBase.vue b/client/web/compose/src/components/PageBlocks/RecordListBase.vue
index 320c014e57..81fe4def1c 100644
--- a/client/web/compose/src/components/PageBlocks/RecordListBase.vue
+++ b/client/web/compose/src/components/PageBlocks/RecordListBase.vue
@@ -2622,6 +2622,14 @@ tr:hover .inline-actions {
     width: 1%;
     font-family: var(--font-regular) !important;
   }
+
+  tbody {
+    tr {
+      td:nth-last-child(2) {
+        padding-right: 5rem;
+      }
+    }
+  }
 }
 
 .record-list-footer {
diff --git a/client/web/compose/src/components/PageBlocks/RecordListConfigurator.vue b/client/web/compose/src/components/PageBlocks/RecordListConfigurator.vue
index a63c831ff4..4ee0378555 100644
--- a/client/web/compose/src/components/PageBlocks/RecordListConfigurator.vue
+++ b/client/web/compose/src/components/PageBlocks/RecordListConfigurator.vue
@@ -791,21 +791,21 @@
               cols="12"
               lg="6"
             >
-              <b-form-group label-class="d-flex text-primary gap-1">
+              <b-form-group label-class="d-flex text-primary">
                 <template #label>
                   {{ $t('recordList.inlineEdit.enabled') }}
 
                   <column-picker
-                    size="sm"
-                    button-class="text-secondary border-0"
-                    variant="outline-extra-light"
+                    :module="recordListModule"
+                    :fields="options.inlineEditFields"
+                    :field-subset="options.fields.length ? options.fields : recordListModule.fields"
                     :button-tooltip="{
                       title: $t('recordList.inlineEdit.fields.configure.tooltip'),
                       container: '#body'
                     }"
-                    :module="recordListModule"
-                    :fields="options.inlineEditFields"
-                    :field-subset="options.fields.length ? options.fields : recordListModule.fields"
+                    variant="outline-extra-light"
+                    button-class="d-flex align-items-center text-secondary border-0 py-0 px-1 ml-1"
+                    size="sm"
                     @updateFields="onUpdateInlineEditableFields"
                   >
                     <font-awesome-icon
diff --git a/client/web/compose/src/components/Public/Page/Attachment/ListLoader.vue b/client/web/compose/src/components/Public/Page/Attachment/ListLoader.vue
index 10b62c00f0..18c79f88f6 100644
--- a/client/web/compose/src/components/Public/Page/Attachment/ListLoader.vue
+++ b/client/web/compose/src/components/Public/Page/Attachment/ListLoader.vue
@@ -53,9 +53,9 @@
             <b-button
               v-if="a.download"
               :href="a.download"
-              variant="outline-light"
+              variant="outline-extra-light"
               size="sm"
-              class="border-0 text-primary px-2 ml-2"
+              class="download-button text-secondary border-0 px-2 ml-2"
             >
               <font-awesome-icon :icon="['fas', 'download']" />
             </b-button>
@@ -112,9 +112,9 @@
           <b-button
             v-if="a.download"
             :href="a.download"
-            variant="outline-light"
+            variant="outline-extra-light"
             size="sm"
-            class="border-0 text-primary px-2"
+            class="download-button text-secondary border-0"
           >
             <font-awesome-icon :icon="['fas', 'download']" />
           </b-button>
@@ -372,4 +372,8 @@ export default {
 .item:hover {
   background-color: var(--gray-200);
 }
+
+.download-button:hover {
+  color: var(--primary) !important;
+}
 </style>

From 3ace4563ccf3ddb6fc39a10681ec9f611fe7077b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C5=BEe=20Fortun?= <joze.fortun@gmail.com>
Date: Tue, 14 Oct 2025 14:22:41 +0200
Subject: [PATCH 4/4] Add xss sanitization toggle to text fields

---
 .../ModuleFields/Configurator/String.vue      | 28 +++++++++++++++++++
 .../components/ModuleFields/Viewer/String.vue |  9 ++++++
 .../src/compose/types/module-field/string.ts  |  4 ++-
 locale/en/corteza-webapp-compose/field.yaml   |  3 ++
 server/compose/service/values/sanitizer.go    | 12 +++++---
 server/compose/types/module_field_options.go  | 19 ++++++++++++-
 6 files changed, 69 insertions(+), 6 deletions(-)

diff --git a/client/web/compose/src/components/ModuleFields/Configurator/String.vue b/client/web/compose/src/components/ModuleFields/Configurator/String.vue
index bd266c950d..3b145df251 100644
--- a/client/web/compose/src/components/ModuleFields/Configurator/String.vue
+++ b/client/web/compose/src/components/ModuleFields/Configurator/String.vue
@@ -7,6 +7,25 @@
     <b-form-checkbox v-model="f.options.useRichTextEditor">
       {{ $t('kind.string.richText') }}
     </b-form-checkbox>
+
+    <b-form-group
+      label-class="d-flex align-items-center text-primary"
+      class="mt-3"
+    >
+      <template #label>
+        {{ $t('kind.string.sanitizeXSS.label') }}
+        <c-hint
+          :tooltip="$t('kind.string.sanitizeXSS.warning')"
+          icon-class="text-warning"
+        />
+      </template>
+
+      <c-input-checkbox
+        v-model="f.options.sanitizeXSS"
+        :switch="true"
+        :labels="checkboxLabel"
+      />
+    </b-form-group>
   </div>
 </template>
 
@@ -19,5 +38,14 @@ export default {
   },
 
   extends: base,
+
+  data () {
+    return {
+      checkboxLabel: {
+        on: this.$t('general:label.yes'),
+        off: this.$t('general:label.no'),
+      },
+    }
+  },
 }
 </script>
diff --git a/client/web/compose/src/components/ModuleFields/Viewer/String.vue b/client/web/compose/src/components/ModuleFields/Viewer/String.vue
index 28c3a1f034..597985c36a 100644
--- a/client/web/compose/src/components/ModuleFields/Viewer/String.vue
+++ b/client/web/compose/src/components/ModuleFields/Viewer/String.vue
@@ -5,10 +5,19 @@
       class="rt-content"
     >
       <p
+        v-if="field.options.useRichTextEditor"
         :style="{ 'white-space': field.options.useRichTextEditor && 'pre-line' }"
         :class="[ 'multiline' && field.isMulti || field.options.multiLine, ...classes ]"
         v-html="formatted"
       />
+
+      <p
+        v-else
+        :style="{ 'white-space': field.options.useRichTextEditor && 'pre-line' }"
+        :class="[ 'multiline' && field.isMulti || field.options.multiLine, ...classes ]"
+      >
+        {{ formatted }}
+      </p>
     </div>
   </div>
 </template>
diff --git a/lib/js/src/compose/types/module-field/string.ts b/lib/js/src/compose/types/module-field/string.ts
index f18a941600..58292310aa 100644
--- a/lib/js/src/compose/types/module-field/string.ts
+++ b/lib/js/src/compose/types/module-field/string.ts
@@ -7,6 +7,7 @@ interface StringOptions extends Options {
   multiLine: boolean;
   useRichTextEditor: boolean;
   multiDelimiter: string;
+  sanitizeXSS: boolean;
 }
 
 const defaults = (): Readonly<StringOptions> => Object.freeze({
@@ -14,6 +15,7 @@ const defaults = (): Readonly<StringOptions> => Object.freeze({
   multiLine: false,
   useRichTextEditor: false,
   multiDelimiter: '\n',
+  sanitizeXSS: true,
 })
 
 export class ModuleFieldString extends ModuleField {
@@ -32,7 +34,7 @@ export class ModuleFieldString extends ModuleField {
     super.applyOptions(o)
 
     Apply(this.options, o, String, 'multiDelimiter')
-    Apply(this.options, o, Boolean, 'multiLine', 'useRichTextEditor')
+    Apply(this.options, o, Boolean, 'multiLine', 'useRichTextEditor', 'sanitizeXSS')
   }
 }
 
diff --git a/locale/en/corteza-webapp-compose/field.yaml b/locale/en/corteza-webapp-compose/field.yaml
index a9e93c5ca7..7026e10571 100644
--- a/locale/en/corteza-webapp-compose/field.yaml
+++ b/locale/en/corteza-webapp-compose/field.yaml
@@ -164,6 +164,9 @@ kind:
     label: String
     multiLine: Multi line
     richText: Use Rich Text Editor
+    sanitizeXSS:
+      label: XSS Sanitization
+      warning: Disabling XSS sanitization is dangerous and may expose your application to security vulnerabilities. Only disable if you fully trust the data source and understand the risks.
   url:
     example: 'Example URL: https://example.com'
     label: URL
diff --git a/server/compose/service/values/sanitizer.go b/server/compose/service/values/sanitizer.go
index 30a92d44cd..0689e21456 100644
--- a/server/compose/service/values/sanitizer.go
+++ b/server/compose/service/values/sanitizer.go
@@ -140,7 +140,7 @@ func (s sanitizer) RunXSS(m *types.Module, vv types.RecordValueSet) types.Record
 
 		switch strings.ToLower(f.Kind) {
 		case "string":
-			v.Value = sString(v.Value)
+			v.Value = sString(v.Value, f.Options.SanitizeXSS())
 		}
 	}
 
@@ -258,13 +258,17 @@ func sNumber(num interface{}, p uint, s uint) string {
 	return str
 }
 
-func sString(str interface{}) string {
+func sString(str interface{}, sanitizeXSS bool) string {
 	base, err := cast.ToStringE(str)
 	if err != nil {
 		return ""
 	}
 
-	return xss.RichText(base)
+	if sanitizeXSS {
+		return xss.RichText(base)
+	}
+
+	return base
 }
 
 // sanitize casts value to field kind format
@@ -278,7 +282,7 @@ func sanitize(f *types.ModuleField, v interface{}) string {
 		// @todo !! This is temporary; precision and scale require a rework
 		v = sNumber(v, maxPrecision, f.Options.Precision())
 	case "string":
-		v = sString(v)
+		v = sString(v, f.Options.SanitizeXSS())
 	}
 
 	return fmt.Sprintf("%v", v)
diff --git a/server/compose/types/module_field_options.go b/server/compose/types/module_field_options.go
index c1ee1d532c..6ba8810706 100644
--- a/server/compose/types/module_field_options.go
+++ b/server/compose/types/module_field_options.go
@@ -4,9 +4,10 @@ import (
 	"database/sql/driver"
 	"encoding/json"
 	"fmt"
+	"strconv"
+
 	"github.com/cortezaproject/corteza/server/pkg/sql"
 	"github.com/spf13/cast"
-	"strconv"
 )
 
 type (
@@ -37,6 +38,8 @@ const (
 	moduleFieldNumberOptionPrecision         = "precision"
 	moduleFieldNumberOptionPrecisionMin uint = 0
 	moduleFieldNumberOptionPrecisionMax uint = 6
+
+	moduleFieldStringOptionSanitizeXSS = "sanitizeXSS"
 )
 
 func (opt *ModuleFieldOptions) Scan(src any) error          { return sql.ParseJSON(src, opt) }
@@ -181,3 +184,17 @@ func (opt ModuleFieldOptions) Index() *ModuleFieldOptionIndex {
 
 	return nil
 }
+
+// SanitizeXSS - should XSS sanitization be applied to this string field?
+func (opt ModuleFieldOptions) SanitizeXSS() bool {
+	// Default to true if not set
+	if _, has := opt[moduleFieldStringOptionSanitizeXSS]; !has {
+		return true
+	}
+	return opt.Bool(moduleFieldStringOptionSanitizeXSS)
+}
+
+// SetSanitizeXSS - set whether XSS sanitization should be applied to this string field
+func (opt ModuleFieldOptions) SetSanitizeXSS(value bool) {
+	opt[moduleFieldStringOptionSanitizeXSS] = value
+}